£25,000 ICO fine is no drop in the ocean for Mermaids


On July 8, 2021, the ICO exercised its powers under Article 83 of the GDPR and issued a £25,000 monetary penalty notice (“MPN”) to the UK gender-variant and transgender youth charity Mermaids for failing to take appropriate technical security measures to protect the personal data of its service users, in violation of Article 5(1)(f) and Article 32 of the GDPR.

While £25,000 appears to be a relatively modest fine compared to those the ICO has imposed on British Airways and Marriott International, in context the Mermaids fine amounts to 2.8% of the charity’s annual revenue. That is a far higher percentage of revenue than the fines imposed on corporate giants British Airways (1.5%) and Marriott (less than 1%) following their large-scale multinational data breaches. It is noteworthy that the MPN specifically states that Mermaids’ total income over the past three years was a relevant factor in determining the size of the penalty.

The Mermaids fine serves as a salutary message to organizations of all sizes and sectors, including charities, that they too can face the full force of the ICO’s enforcement powers if they have “negligent privacy practices”, because, in the words of Steve Eckersley (Director of Investigations), “although we acknowledge the work that charities do, that work cannot be exempted from the law”.

What happened?

Mermaids is a charity that supports gender-variant children, teenagers and their families. The ICO’s investigation focused on an internal email group that was set up and used by Mermaids between August 2016 and July 2017. It was not until June 14, 2019 that a service user informed Mermaids that these internal emails were publicly available online. The service user, a mother, had been contacted by a Sunday Times journalist who had found, through a search engine, a confidential email containing her phone number and information about her child’s mental and physical health. Mermaids then received notice from the Sunday Times of its intention to publish an article about the exposure.

The email group was listed in the Groups.io search directory and indexed by major search engines such as Google. As a result, the emails were accessible to third parties and contained the personal data of a “large group” of 550 people, including 4 children.

Mermaids was criticized for lacking records or documentation explaining exactly how the group email service had been created. It was unable to determine whether the emails had been deliberately left accessible (to allow for general discussion) or whether it was a mistake not to choose a safer option. In either case, the default security settings that had been applied were classified as “unsafe and inadequate”.

Key takeaways

“The likely increased vulnerability of an affected person in turn increases the risk of damage or stress”.

The Commissioner stressed that gender incongruence is still viewed as a controversial and sensitive issue, and that this increases the vulnerability of those affected when the potential harm to them is considered, as they are “at greater risk of suffering prejudice, harassment and physical abuse or hate crime”.

For 15 of the persons concerned, the e-mails contained special category data, such as information on mental or physical health, sex life or sexual orientation. However, the ICO also considered conversations about transgender issues and personal experiences of individuals to be sensitive in context, and it was confirmed by the data subjects concerned that the breach caused significant harm and suffering, regardless of whether any special category data was disclosed or not.

“An aggravating factor is the duration of the infringement …”

Although the last email was sent on July 21, 2017, the internet-based email group remained searchable and viewable online until remedial action was taken almost two years later, in June 2019. The group was never discontinued or retired; it remained accessible to third parties and appears to have been forgotten. Access could easily have been restricted to approved members of the email group if appropriate restricted-access settings had been configured.

“The nature of the violations remains unaffected by the unanswered question to what extent one or more other third parties have accessed the data.”

In other words, the number of unauthorized views does not matter. The ICO was unable to determine the extent to which one or more third parties had viewed the data without authorization, but this had no mitigating effect on its assessment of the gravity of the violation. The seriousness of the violations was likewise unaffected by how easily other third parties could have accessed the data, whether by chance or simply through a precise but unusual search query.

“The data protection guidelines were inadequate and there was a lack of adequate training, including personal training, on data protection.”

Despite the fact that mandatory privacy training was offered to all Mermaids staff and volunteers and updated annually, the ICO concluded that, because the persistent violations went undetected by anyone at Mermaids, the training was inadequate and/or ineffective, and that “there was a negligent handling of data protection”.

The Commissioner fully acknowledged the profile that Mermaids had built in recent years and concluded: “Regulatory action against Mermaids will serve as an important deterrent to any other entity or person who does not comply with the GDPR or is at risk of not meeting their obligations under the GDPR.”